Velocity Reviews - Computer Hardware Reviews

Cannot get my wan traffic over VPN tunnel

SteveB
Junior Member
Join Date: Oct 2006
Posts: 17

11-01-2007
I have a problem that is best described by viewing a diagram, which is located here.


Basically, we have a working site-site vpn tunnel to a vendor that allows a few machines on our private WAN to access a vendor's ftp server on the other side of the tunnel. The tunnel itself works fine if I am connecting to the remote ftp host from a host on the same subnet as the inside interface on the ASA 5520. The ACLs for the vpn on both firewalls allow traffic from 192.168.3.0 and 150.1.1.237 to pass.

On our WAN subnet, I have a machine at 150.1.1.237 that needs to connect to the vendor ftp server at the other side of the tunnel. On the router on that subnet, I added a route so that if 150.1.1.237 wants to get to 192.168.102.186, send the traffic to 192.168.100.1. The router at 192.168.100.1 has a route to 192.168.102.186 that sends it to 192.168.3.254. The problem is, the packet doesn't get there. If I do a traceroute from 150.1.1.237, the packet goes to the default gateway (150.1.1.1) and then to the fiber connected interface on the other subnet. It dies at 192.168.100.1.

Am I missing something in the VPN configuration to allow the host at 150.1.1.237 to access the tunnel? Any host of 192.168.3.0 can connect fine but 150.1.1.237 cannot. I just wasn't sure if it was a vpn issue or a router issue.
The ACL in the ASA looks like this:
access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.186
access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.189
access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.190
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.186
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.189
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.190

I also have an access list for Nat 0 that looks like this:
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list nonat extended permit ip 150.1.1.0 255.255.255.0 192.168.102.0 255.255.255.0

The vendor has an ASA and they have mirrored my access lists. Again, I can get to the 192.168.102.186 host from the 192.168.3.0 network, but the host at 150.1.1.237 in the diagram cannot. The tracert dies at 192.168.100.1 even though I have a route in there (ip route 192.168.102.186 255.255.255.255 192.168.3.254). Everything else in our WAN works fine. People on 150 have always been able to browse the net and everything through the ASA. I just can't get that traffic destined for 192.168.102.186 to go out over the tunnel from that network.

Any ideas on what I could be missing?
Last edited by SteveB; 11-01-2007 at 08:40 PM..
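An added example, not part of the post above: a small Python model of the hops and ACLs the post describes. It applies longest-prefix matching to the routes as quoted and then tests the source/destination pair against the quoted WAV-CLINIC and nonat ACLs, so the reader can see whether the configuration as written would carry 150.1.1.237 to the ASA and into the tunnel; the connected prefixes and the two default routes are assumptions, as are the names `lookup`, `trace` and `tunnel_check`.

```python
import ipaddress

# Hop-by-hop routing tables reconstructed from the post (a constructed model, not
# device output). Entries are (prefix, next hop); "local" means directly connected.
# The connected prefixes and both default routes are assumptions; the /32s are quoted.
ROUTES = {
    "150.1.1.1": [("150.1.1.0/24", "local"), ("192.168.102.186/32", "192.168.100.1"),
                  ("0.0.0.0/0", "192.168.100.1")],
    "192.168.100.1": [("192.168.100.0/24", "local"), ("192.168.3.0/24", "local"),
                      ("192.168.102.186/32", "192.168.3.254"), ("0.0.0.0/0", "192.168.3.254")],
}
ASA_INSIDE = "192.168.3.254"

# Crypto ACL WAV-CLINIC and the nat 0 ACL exactly as quoted in the post.
VENDOR_HOSTS = ("192.168.102.186", "192.168.102.189", "192.168.102.190")
CRYPTO_ACL = [(src, h) for src in ("192.168.3.0/24", "150.1.1.0/24") for h in VENDOR_HOSTS]
NONAT_ACL = [("192.168.3.0/24", "192.168.102.0/24"), ("150.1.1.0/24", "192.168.102.0/24")]

def lookup(router, dst):
    """Longest-prefix match on one router's table; None means no route at all."""
    best = None
    for prefix, nh in ROUTES[router]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else best[1]

def trace(dst, first_hop="150.1.1.1"):
    """Follow next hops from the WAN router until the ASA, a connected subnet, or a drop."""
    path, hop = [first_hop], first_hop
    while hop != ASA_INSIDE:
        nh = lookup(hop, dst)
        if nh in (None, "local"):
            path.append("dropped: no route" if nh is None else "delivered locally")
            break
        path.append(nh)
        hop = nh
    return path

def acl_permits(acl, src, dst):
    """True if any (source net, destination net) pair in the ACL matches the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) for a, b in acl)

def tunnel_check(src, dst):
    """Does the quoted configuration carry src -> dst to the ASA and into the tunnel?"""
    path = trace(dst)
    return {"path": path, "reaches_asa": path[-1] == ASA_INSIDE,
            "crypto_match": acl_permits(CRYPTO_ACL, src, dst), "nat_exempt": acl_permits(NONAT_ACL, src, dst)}
```

If the model reaches the ASA with a crypto match but the live traceroute stops at 192.168.100.1, compare that router's actual routing table against the entries assumed here.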